Monitoring
Alertmanager, Grafana, Datadog, PagerDuty
Forward existing alert payloads as-is. No template authoring, no per-receiver mapping. Herald reads them and decides whether they warrant an RCA.
Triggers
One URL. Every system.
Herald is Hyground's external-notification gateway. A single endpoint accepts any JSON over HTTP, and an LLM chain decides whether it is an alert worth an RCA or just context to summarise. Alertmanager, Grafana, PagerDuty, Datadog, GitHub, Jira, ServiceNow, cron, curl: anything that speaks JSON wires up the moment it can POST.
Endless integrations
Integration is the URL, not code.
No per-source adapters. Two LLMs (an injection_judge and an alert_extractor) reason over payload semantics, so any new producer is wired up the moment it can POST JSON to /api/herald/webhook. Webhooks, cron jobs, scripts, monitoring stacks, ticket systems, deployment tooling all enter through the same door.
Source control & ITSM
GitHub, Jira, ServiceNow
Issue updates, deployment events, change tickets. Anything you would otherwise wire into a notification rule can become a Hyground investigation.
Custom
Cron, curl, anything that speaks JSON
A cron job that posts a daily report. A bash one-liner from your laptop. A custom script in a pipeline. If it can POST JSON, it is a trigger.
Two layers of defence
Every payload passes both gates before a single agent token is spent on it.
Ingress
Who can call the endpoint
oauth2-proxy, mTLS, shared-secret, or IP allow-list, picked per deployment. The same gate the rest of Hyground uses, applied at the webhook ingress.
Semantic
What reaches an agent
50 KB payload cap, JSON-shape check, an injection_judge LLM, and `<untrusted_content>`-fenced framing. Payloads scoring above the injection threshold are rejected before they ever reach the agent. The framing template tells the model to treat anything inside the tag as data, never instructions.
Stateless. Async by design.
Webhook callers get a fast acknowledgement. Investigation happens in the background.
01
Producer posts JSON
Herald returns 202 Accepted in milliseconds. The caller is done: no long-lived connection, no retries to babysit.
02
Triage + RCA in the background
The injection_judge classifies risk and shape. The alert_extractor structures alert-like payloads. The dispatcher opens a session on the root agent with the framed payload as the first message.
03
Notify Slack or Teams
An alert-received card lands immediately so the team knows Hyground is on it. When the session completes, a second card links to the full transcript and findings.
Want to go deeper?
Triggers compose with the rest of the platform
An incoming trigger is just an entry point. Once a session is open, every Skill, every connected adapter, every scheduled workflow is available to it.
Governed Autonomy
Herald is the front door. The same governance that applies to any Hyground session applies here: read-only by default, every investigation auditable, every action recommended with evidence to a human in the driver's seat.
The ingress gate decides who can post. The semantic gate decides what reaches an agent. The session log captures everything that happens after.
Point a system at the URL.
See Herald accept a payload from one of your existing producers and turn it into an evidence-backed session. Bring an Alertmanager rule, a Datadog monitor, or a curl command.
See Hyground in action
Check out our sandbox or schedule a demo with our team and experience sovereign AI for DevOps firsthand.